New resource script to check for development-related vulns.

bug/bundler_fix
Pearce Barry 2017-10-25 10:11:25 -05:00
parent a2930935ba
commit 4fc0eb0cb3
No known key found for this signature in database
GPG Key ID: 0916F4DEA5C5DE0A
1 changed files with 118 additions and 0 deletions

View File

@ -0,0 +1,118 @@
<ruby>
#
# This resource script will check for vulnerabilities related to
# programs and services used by developers, including the following:
#
# * NodeJS debug (multi/misc/nodejs_v8_debugger)
# * distcc (unix/misc/distcc_exe)
# * Jenkins (linux/misc/jenkins_java_deserialize)
# * GitHub Enterprise (linux/http/github_enterprise_secret)
#
# It is worth noting that ONLY CHECKS are performed, no active exploiting.
# This makes it safe to run in many environments.
#
# Author:
# pbarry-r7
#
@job_ids = []
def wait_until_jobs_done
while true
@job_ids.each do |job_id|
current_job_ids = framework.jobs.keys.map { |e| e.to_i }
sleep 1 if current_job_ids.include?(job_id)
end
return
end
end
def check_exploit(host:, mod_name:, vuln_check_ret_val:)
begin
mod = framework.exploits.create(mod_name)
mod.datastore['RHOST'] = host.address
print_line("Looking for #{mod.name}...")
result = mod.check_simple({'RunAsJob': true, 'LocalOutput': self.output})
@job_ids << mod.job_id if mod.job_id
if vuln_check_ret_val.index(result)
print_line("HOST #{host.address} APPEARS VULNERABLE TO #{mod.name}")
framework.db.report_vuln(
workspace: mod.workspace,
host: mod.rhost,
name: mod.name,
info: "This was flagged as likely vulnerable by the explicit check of #{mod.fullname}.",
refs: mod.references
)
end
rescue ::Exception => e
print_error(e.message)
end
end
def setup
# Test and see if we have a database connected
begin
framework.db.hosts
rescue ::ActiveRecord::ConnectionNotEstablished
print_error("Database connection isn't established")
return false
end
run_single("setg verbose true")
true
end
def main
framework.db.workspace.hosts.each do |host|
print_line("Checking IP: #{host.address}, OS: #{host.os_name}...")
check_exploit(host: host,
mod_name: 'multi/misc/nodejs_v8_debugger',
vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
check_exploit(host: host,
mod_name: 'unix/misc/distcc_exec',
vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
check_exploit(host: host,
mod_name: 'unix/misc/qnx_qconn_exec',
vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
check_exploit(host: host,
mod_name: 'linux/misc/jenkins_java_deserialize',
vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
check_exploit(host: host,
mod_name: 'linux/http/github_enterprise_secret',
vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
check_exploit(host: host,
mod_name: 'multi/http/traq_plugin_exec',
vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
check_exploit(host: host,
mod_name: 'multi/http/builderengine_upload_exec',
vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
check_exploit(host: host,
mod_name: 'multi/http/mantisbt_php_exec',
vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
check_exploit(host: host,
mod_name: 'multi/http/vbulletin_unserialize',
vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
check_exploit(host: host,
mod_name: 'unix/webapp/vbulletin_vote_sqli_exec',
vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
end
wait_until_jobs_done
end
abort("Error during setup, exiting.") unless setup
main
</ruby>